100 

INTERCEPT, IN A NONINTRUSIVE MANNER, A DATA ACCESS 
TRANSACTION BETWEEN A USER APPLICATION AND A DATA 
REPOSITORY HAVING DATA ITEMS 



101 

NONINTRUSIVE MANNER IS UNDETECTABLE TO THE USER 
APPLICATION AND UNDETECTABLE TO THE DATA REPOSITORY 



102 

DETERMINE IF THE INTERCEPTED DATA ACCESS TRANSACTION 
CORRESPONDS TO A SECURITY POLICY, THE SECURITY POLICY 
INDICATIVE OF RESTRICTED DATA ITEMS IN THE DATA REPOSITORY TO 
WHICH THE USER APPLICATION IS PROHIBITED ACCESS 



103 

LIMIT, BASED ON THE SECURITY POLICY, THE DATA ACCESS 

TRANSACTION 



104 

MODIFY THE DATA ACCESS TRANSACTION SUCH THAT DATA 
INDICATIONS IN THE DATA ACCESS TRANSACTION CORRESPONDING 
TO RESTRICTED DATA ITEMS, ACCORDING TO THE SECURITY POLICY, 
ARE ELIMINATED FROM THE RESULTING DATA ACCESS TRANSACTION 



Fig. 2 



200 

INTERCEPT, IN A NONINTRUSIVE MANNER, A DATA ACCESS 
TRANSACTION BETWEEN A USER APPLICATION AND A DATA 
REPOSITORY HAVING DATA ITEMS 




202 

ESTABLISH A PROXY TO THE 
DATA REPOSITORY ON 
BEHALF OF THE USER 



203 

DETERMINE IF THE INTERCEPTED DATA ACCESS TRANSACTION 
CORRESPONDS TO A SECURITY POLICY, THE SECURITY POLICY INDICATIVE 
OF RESTRICTED DATA ITEMS IN THE DATA REPOSITORY TO WHICH THE USER 
APPLICATION IS PROHIBITED ACCESS 



204 

SECURITY POLICY HAS RULES, EACH OF THE RULES INCLUDING AN 
OBJECT, A SELECTION CRITERIA AND AN ACTION, THE ACTION 
INDICATIVE OF THE RESTRICTED DATA ITEMS 



206 
ALLOW 

ACCESS 



-ALLOW. 




DENY- 



207 
DENY 

ACCESS 



208 

IDENTIFY DATA ITEMS CORRESPONDING TO THE ATTRIBUTES, EACH OF 
THE ATTRIBUTES ASSOCIATED WITH AN OPERATOR AND AN OPERAND 



I 



209 

226 APPLYING AN OPERATOR SPECIFIED FOR THE DATA ITEM 
TO THE OPERAND SPECIFIED FOR THE DATA ITEM 



T 



Fig. 



210 

DETERMINE, AS A RESULT OF APPLYING THE OPERATOR, WHETHER TO 
ELIMINATE THE IDENTIFIED DATA ITEM 



211 

LIMIT, BASED ON THE SECURITY POLICY, THE DATA ACCESS TRANSACTION 



212 

MODIFY THE DATA ACCESS TRANSACTION SUCH THAT DATA 
INDICATIONS IN THE DATA ACCESS TRANSACTION CORRESPONDING 
TO RESTRICTED DATA ITEMS, ACCORDING TO THE SECURITY POLICY, 
ARE ELIMINATED FROM THE RESULTING DATA ACCESS TRANSACTION 



t 

213 

DATA INDICATIONS ARE REFERENCES TO DATA ITEMS IN THE DATA 
REPOSITORY AND LIMITING FURTHER INCLUDES QUALIFYING THE 
REFERENCES TO GENERATE A MODIFIED REQUEST INDICATIVE OF 
UNRESTRICTED DATA ITEMS, SUCH THAT SUCCESSIVE RETRIEVAL 
OPERATIONS EMPLOYING THE QUALIFIED REFERENCES DO NOT 
RETRIEVE RESTRICTED DATA ITEMS 



214 

DATA ACCESS TRANSACTION IS A DATA ACCESS STATEMENT AND 
LIMITING FURTHER COMPRISES IDENTIFYING AT LEAST ONE RULE, 
ACCORDING TO THE SECURITY POLICY, CORRESPONDING TO THE 

DATA ACCESS STATEMENT, THE IDENTIFIED RULE RESTRICTING 
ACCESS TO AT LEAST ONE OF THE DATA ITEMS INDICATED BY THE 
DATA ACCESS STATEMENT 



Fig. 5 



A 

215 

CONCATENATE SELECTION QUALIFIERS TO THE DATA ACCESS STATEMENT 
CORRESPONDING TO THE IDENTIFIED RULE, THE SELECTION QUALIFIERS 
OPERABLE TO OMIT THE RESTRICTED DATA ITEMS FROM THE QUALIFIED 
REFERENCES OF THE DATA ACCESS STATEMENT 



216 

RECEIVE AN SQL QUERY AND LIMITING INCLUDES APPENDING 
CONDITIONAL SELECTION STATEMENTS TO THE SQL QUERY, THE 
CONDITIONAL SELECTION STATEMENTS COMPUTED FROM THE 
SECURITY POLICY, TO GENERATE THE RESULTING DATA ACCESS 

TRANSACTION 



217 



BUILD A PARSE TREE CORRESPONDING TO THE SQL 

QUERY 



I 



218 

ADD NODES IN THE PARSE TREE CORRESPONDING 
TO THE APPENDED CONDITIONAL SELECTION 
STATEMENTS 



219 

REPROCESS THE PARSE TREE TO GENERATE THE 
RESULTING DATA ACCESS TRANSACTION 



T 



Fig. 6 



A 

220 

RECEIVE A SET OF PACKETS, THE PACKETS 
ENCAPSULATING THE DATA ACCESS TRANSACTION 
ACCORDING TO LAYERED PROTOCOLS 




DIRECT 



222 

GENERATE THE RESULTING DATA ACCESS TRANSACTION 
PRESERVING THE ENCAPSULATING LAYERED PROTOCOL 

ASSOCIATING THE PACKETS WITHOUT EMPLOYING A 
PROXY FOR REGENERATING THE SEQUENCE OF PACKETS 



223 

INTERROGATE AND MODIFY THE PACKETS IN A 
NONDESTRUCTIVE MANNER WITH RESPECT TO 
THE LAYERED PROTOCOLS 



I 



224 

PAD THE PACKETS FOR ACCOMMODATING 
ELIMINATION OF THE RESTRICTED DATA ITEMS TO 
GENERATE THE RESULTING DATA ACCESS 
TRANSACTION 



PROXY 



225 

RECEIVE DATA 

ACCESS 
TRASACTION 
STREAM VIA PROXY 
AND REGENERATE 
DATA ACCESS 
RESULT 



226 
FORWARD 

GENERATED 

RESULTING 

DATBASE ACCESS 

TRANSACTION 

STREAM VIA USER 

LOGIN 



1 



227 

TRANSMIT RESULTING 
DATA ACCESS 
TRANSACTION 



Fig. 7 



300 

INTERCEPT IN A NONINTRUSIVE MANNER, A DATA ACCESS 
TRANSACTION BETWEEN A USER APPLICATION AND A DATA 
REPOSITORY HAVING DATA ITEMS 



301 

ESTABLISH A PROXY TO THE DATA REPOSITORY ON 
BEHALF OF THE USER 



I 

302 

RECEIVE THE DATA ACCESS TRANSACTION AS A 
ROW SET UNDER THE PROXY 



I 

303 

REGENERATE THE RESULTING DATA ACCESS 
TRANSACTION AS A REDUCED ROW SET HAVING A 
SUBSET OF THE ROWS FROM THE PROXY ROW SET 



I 

304 

DETERMINE IF THE INTERCEPTED DATA ACCESS TRANSACTION 
CORRESPONDS TO A SECURITY POLICY, THE SECURITY POLICY 
INDICATIVE OF RESTRICTED DATA ITEMS IN THE DATA REPOSITORY TO 
WHICH THE USER APPLICATION IS PROHIBITED ACCESS 



305 

SECURITY POLICY HAS RULES, EACH OF THE RULES 
INCLUDING AN OBJECT, A SELECTION CRITERIA AND AN 
ACTION, THE ACTION INDICATIVE OF THE RESTRICTED DATA 

ITEMS 

306 

ACTIONS ARE SELECTIVELY INDICATIVE OF MODIFICATIONS, 
THE MODIFICATIONS FURTHER COMPRISING ATTRIBUTES, 
OPERATORS, AND OPERANDS, THE LIMITING FURTHER 
COMPRISING 

IDENTIFYING DATA ITEMS CORRESPONDING TO THE 
ATTRIBUTES, EACH OF THE ATTRIBUTES ASSOCIATED WITH 
AN OPERATOR AND AN OPERAND 



307 

FOR EACH ROW IN THE 
ROW SET 



308 

APPLY AN OPERATOR SPECIFIED FOR THE DATA ITEM TO 
THE OPERAND SPECIFIED FOR THE DATA ITEM 

* 

309 

228 DETERMINE, AS A RESULT OF APPLYING THE OPERATOR, 
WHETHER TO ELIMINATE THE IDENTIFIED DATA ITEM 




311 

IDENTIFY LIMITATIONS, BASED ON THE SECURITY POLICY, FOR THE DATA 

ACCESS TRANSACTION 



312 

MODIFY THE DATA ACCESS TRANSACTION SUCH THAT DATA 
INDICATIONS IN THE DATA ACCESS TRANSACTION CORRESPONDING 
TO RESTRICTED DATA ITEMS, ACCORDING TO THE SECURITY POLICY, 
ARE ELIMINATED FROM THE RESULTING DATA ACCESS TRANSACTION. 



I 



313 

INTERCEPT THE DATA QUERY RESPONSE FROM THE DATA 
REPOSITORY AS THE DATA ACCESS TRANSACTION, THE DATA QUERY 
RESPONSE ENCAPSULATED AS A ROW SET HAVING ROWS FROM A 
RELATIONAL DATABASE QUERY 




Fig. 9 
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315 

DATA INDICATIONS ARE ROWS OF DATA RETRIEVED FROM THE 
DATA REPOSITORY, AND LIMITING INCLUDES 
IDENTIFYING ROWS HAVING RESTRICTED DATA ITEMS 




316 

ELIMINATE THE IDENTIFIED ROWS FROM THE DATA ITEM 
TRANSACTION SUCH THAT THE RESULTING DATA ACCESS 
TRANSACTION IS A MODIFIED QUERY RESPONSE INCLUDING 
ROWS WITHOUT RESTRICTED DATA ITEMS 










317 

DATA ACCESS TRANSACTION IS A DATA QUERY RESPONSE 
INCLUDING A ROW SET AND LIMITING FURTHER COMPRISES 
COMPARING EACH OF THE ROWS IN THE ROW SET TO THE 
RULES OF THE SECURITY POLICY 




I 




318 

SELECTIVELY ELIMINATE ROWS IN THE ROW SET INCLUDING 
THE RESTRICTED DATA ITEMS, BASED ON THE COMPARING, 
TO GENERATE A MODIFIED QUERY RESPONSE INCLUDING A 
FILTERED ROW SET 




I 




319 

TRANSMIT THE REDUCED ROW SET TO THE USER ON BEHALF 

OF THE PROXY 







Fig. 10 



